A DDoS (Distributed Denial of Service) attack can be defined as the monopolization of a resource or service with the intention of preventing any third party from accessing it. The definition also covers attacks meant to overwhelm a resource or system in order to destroy the service or resource. DoS attacks are a natural consequence of the Internet's own architecture. Carrying out this type of attack does not require great knowledge, and it is less risky than attacking a server directly: the attacker uses intermediate machines to generate the traffic, which also makes it easier to erase their traces afterwards.
For example, if a server has 1 Mbps of bandwidth and a user has 30 Mbps, that user alone can deny the server's service by making enough requests to saturate its link. There are three basic types of denial of service:
- Resource consumption: the attacker tries to consume the server's resources until they are exhausted: bandwidth, CPU time, memory, disk space and so on.
- Destruction or alteration of the configuration: an attempt is made to modify the machine's configuration or data. These attacks require more sophisticated techniques.
- Destruction or physical alteration of the equipment: an attempt to deny service by physically destroying the server or some of its components, or by cutting the network cable or the power cable. We will focus on the first type of attack.
The number of tools has kept growing thanks to the emergence of intruder communities that, with a great deal of organization and very short turnaround, take a tool from beta to its final version. This makes dealing with them increasingly difficult. The tools used to launch DDoS attacks are ever simpler and easier for less experienced users, which also increases both the number of attacks and the damage they cause.
Motivated by both financial and political reasons, DDoS attacks are becoming more prevalent. Although a first attack may be random, attacks frequently occur when an attacker with specific knowledge of a high-value target decides to take its service offline. This can cause panic and lead to costly decisions, including paying a ransom, in order to stop the attack.
If we analyze how DDoS works we realize that there is no 100% reliable solution against it. Current solutions are based on classic firewalls and intrusion detection systems.
The following are the 10 steps to mitigate a DDoS attack:
Verify the attack
Not all outages are caused by a DDoS attack. Incorrect DNS settings, routing problems and human error are common causes of network outages. System administrators first have to rule out these non-attack causes and distinguish an attack from an ordinary outage. The sooner it is verified that the service interruption is a DDoS attack, the sooner a response can be mounted. Even if the outage was not caused by a misconfiguration or some other human error, there may be other explanations that resemble a DDoS attack, such as a sudden surge of legitimate traffic.
Contact the team leaders
Once the attack has been verified, contact the leaders of the relevant teams. If no quick-reference sheet or contact list was prepared beforehand, create one now; it can serve as a template going forward. When a service interruption occurs, the organization may convene a formal conference call that includes several of the operations and application teams. If the organization has a procedure of this kind, use that meeting to officially confirm the DDoS attack to the team leaders.
Define the application hierarchy
Once the attack has been confirmed, re-prioritize the applications. When facing an intense DDoS attack with limited resources, the organization must make decisions based on a defined hierarchy. The online assets of highest value usually also generate the highest revenue, and these are the applications firms want to keep alive. Lower-value applications, regardless of their level of legitimate traffic, should be deliberately disabled so that processing, resource usage and network capacity can be allocated to the higher-value application services. Seek the opinion of the team leaders before doing this.
Protect partners and remote users
It is very likely that there are partners, employees or customers who need access to applications or networks. If it has not already been done, collect the IP addresses they always use and define access controls based on them; this list needs to be reviewed regularly. The allow list may have to be distributed to several places within the network, such as the firewall, the Application Delivery Controller (ADC) and possibly even the service provider, to ensure that traffic to and from those addresses is not disrupted. Many companies put SSL VPN users on an allow list or give them quality-of-service priority. This is usually done in an integrated firewall/VPN appliance, which can be of great importance if there is a significant number of remote employees.
Identify the attack
Now is the time to gather technical intelligence about the attack. The first question to ask is: what are the attack vectors? If the attack is purely volumetric, the Internet Service Provider will have informed the sysadmin and may already have taken action to mitigate it. Well-equipped organizations also use existing monitoring solutions, such as deep packet capture devices, for a deeper investigation.
Evaluate mitigation options by source address
If step 5 (Identify the attack) has shown that the campaign uses advanced attack vectors that the service provider cannot mitigate (such as zero-day attacks, attacks on application vulnerabilities, or attacks carried inside SSL/TLS), the next question becomes: how many sources are there? If the list of attacking IP addresses is small, the firewall can block them all. Another option is to ask the ISP to block those address ranges upstream of the local network. The list of attacking IP addresses may be too large to block in the firewall: every address added to the block list costs processing and increases CPU utilization. It is still possible to block the attackers if they are all located in the same geographical region, or within a few regions, which can be blocked temporarily.
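Steps 4 to 6 above (protecting known partners, working out how many sources there are, and choosing between the local firewall and the ISP) can be scripted against the web server's access log. The following is an added example, not code from the original article: it parses constructed Apache/nginx combined-format log lines, keeps allow-listed partner ranges out of the block list, and either emits per-address nftables commands (the set name ddos_block is hypothetical and assumes such a set exists) or summarizes a long list into covering prefixes for the upstream provider. All addresses are RFC 5737 documentation ranges.

```python
"""Triage the sources behind a traffic surge from web-server access logs.

Added example, not code from the original article. Assumes the Apache/nginx
combined log format and an nftables set named "ddos_block" (hypothetical);
log lines, partner allow-list and thresholds are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# client-ip ident user [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Partner/remote-user ranges that must keep working whatever else gets blocked
# (constructed; 198.51.100.0/24 is an RFC 5737 documentation range).
PARTNER_ALLOW_LIST = ["198.51.100.0/24"]


def _line(ip, path, status=200):
    """One constructed access-log record."""
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed burst: two noisy sources, one busy partner integration, one
# ordinary visitor and one garbage line the parser has to skip.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"/search?q={i}") for i in range(5)]
    + [_line("203.0.113.9", f"/search?q={i}") for i in range(4)]
    + [_line("198.51.100.5", "/api/orders") for _ in range(4)]
    + [_line("192.0.2.44", "/index.html")]
    + ["this line is not an access-log record"]
)


def parse_log(text):
    """Requests per source address, skipping lines that do not parse."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group("ip")))] += 1
        except ValueError:          # first field is not an IP address at all
            continue
    return counts


def is_allow_listed(ip, allow_list):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allow_list)


def classify_sources(counts, allow_list, threshold):
    """Busiest first: block candidates, busy-but-protected partners, normal.

    An allow-listed partner is never a block candidate, however much it sends.
    """
    result = {"block": [], "protected": [], "normal": []}
    for ip, n in counts.most_common():
        if n < threshold:
            result["normal"].append(ip)
        elif is_allow_listed(ip, allow_list):
            result["protected"].append(ip)
        else:
            result["block"].append(ip)
    return result


def plan_mitigation(block_ips, max_firewall_entries):
    """A short list becomes per-address firewall set entries. A long one would
    cost CPU on every packet, so it is summarised into covering /24 (IPv4) or
    /48 (IPv6) prefixes to hand to the ISP for upstream filtering. The article
    suggests blocking by region; prefixes stand in for that here because no
    geolocation data is available offline."""
    if len(block_ips) <= max_firewall_entries:
        return "firewall", [f"nft add element inet filter ddos_block {{ {ip} }}" for ip in block_ips]
    prefixes = []
    for version, plen in ((4, 24), (6, 48)):
        nets = [ipaddress.ip_network(f"{ip}/{plen}", strict=False)
                for ip in block_ips if ipaddress.ip_address(ip).version == version]
        prefixes.extend(str(n) for n in ipaddress.collapse_addresses(nets))
    return "upstream", prefixes


if __name__ == "__main__":
    triage = classify_sources(parse_log(SAMPLE_LOG), PARTNER_ALLOW_LIST, threshold=3)
    print("block candidates:", triage["block"], "protected:", triage["protected"])
    print(plan_mitigation(triage["block"], max_firewall_entries=100))
```

The request-count threshold is deliberately a parameter: a busy partner API client and a single-source flood look identical in raw counts, which is exactly why the allow list is consulted before anything is blocked, and why a block list that outgrows the firewall's comfortable size is handed upstream as prefixes instead of being pushed address by address.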
Mitigate application-specific attacks through patching
If this step has been reached, the DDoS attack is sophisticated enough to render mitigation by source address ineffective. Attacks in this category may have been generated by DDoS tools of varying quality, many of them open source. These attacks look like normal traffic at layer 4, but they carry anomalies that disrupt services at the server, application or database level.
Increase the application security posture
If this step is reached, the attack at layers 3 and 4 has already been mitigated, mitigations for application-specific attacks have been evaluated, and problems persist. This means the attack is relatively sophisticated, and the ability to mitigate it will depend in part on the targeted applications. It is very likely that the organization is facing one of the most difficult modern attacks: the asymmetric application-layer attack, in which each cheap request forces the application to do expensive work.
The best defense against these asymmetric attacks depends on the application. For example, organizations such as financial institutions know their customers and can use logon barriers to reject anonymous requests. Entertainment and hospitality applications, such as hotel websites, on the other hand, often do not know the user who arrives to make a reservation. For them, a CAPTCHA can be a better deterrent.
Limit resources
If all the previous steps fail to stop the DDoS attack, the system administrator may be forced to simply limit resources in order to survive the attack. This technique rejects both good and bad traffic. In fact, capacity limiting in many cases rejects 90 to 99 percent of desirable traffic while still letting the attacker drive up the cost of operating the data center. For many organizations it is better to disable an application than to accept defeat and pay unjustified operating costs, such as a large spend on extra bandwidth.
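The logon barrier, the CAPTCHA challenge and the final resource limit described in the last two steps can be combined in one request-admission policy. The following is an added example, not code from the original article, and the endpoint costs, budgets and request trace are all constructed: anonymous clients are rejected from login-only pages, challenged once they exhaust a small per-client budget, logged-in clients get a larger budget, and a global cap on back-end work shows how constraining resources sheds legitimate traffic along with the attack.

```python
"""Application-layer budgeting for asymmetric attacks and resource constraints.

Added example, not code from the original article. Endpoint costs, budgets
and the request trace are constructed; the clock is passed in explicitly so
the run is deterministic.
"""
from collections import Counter


class TokenBucket:
    """`burst` tokens available up front, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def take(self, cost, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


# Relative back-end cost per endpoint: a search is cheap to ask for and expensive
# to answer, which is what makes an attack on it asymmetric. (Constructed.)
ENDPOINT_COST = {"/": 1, "/login": 2, "/search": 5, "/statements": 3}
LOGIN_REQUIRED = {"/statements"}           # pages a site that knows its customers fences off
ANON_POLICY = {"rate": 1.0, "burst": 5}    # anonymous: one search, then a challenge
AUTH_POLICY = {"rate": 10.0, "burst": 50}  # logged in: ten searches before throttling


class AppShield:
    def __init__(self, global_capacity):
        self.buckets = {}
        # Global cap on back-end work per second: the "limit resources" step.
        self.global_bucket = TokenBucket(rate=global_capacity, burst=global_capacity)

    def decide(self, client_ip, authenticated, path, now):
        """Return one of: reject, challenge, throttle, shed, serve."""
        cost = ENDPOINT_COST.get(path, 1)
        if path in LOGIN_REQUIRED and not authenticated:
            return "reject"                 # logon barrier: anonymous requests never reach the app
        key = (authenticated, client_ip)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(**(AUTH_POLICY if authenticated else ANON_POLICY))
        if not self.buckets[key].take(cost, now):
            # Unknown clients are asked to prove they are human; known ones just wait.
            return "challenge" if not authenticated else "throttle"
        if not self.global_bucket.take(cost, now):
            return "shed"                   # capacity gone: good and bad traffic alike is dropped
        return "serve"


def simulate(shield, trace):
    """Run a trace of (time, client_ip, authenticated, path) and return the decisions."""
    return [shield.decide(ip, auth, path, t) for t, ip, auth, path in trace]


# Constructed trace: ten anonymous sources hit the expensive search at once,
# retry 100 ms later, and a logged-in customer plus an ordinary visitor compete.
ATTACKERS = [f"203.0.113.{i}" for i in range(1, 11)]
TRACE = (
    [(0.0, ip, False, "/search") for ip in ATTACKERS]
    + [(0.0, "198.51.100.5", True, "/search")]
    + [(0.1, ip, False, "/search") for ip in ATTACKERS]
    + [(1.0, "198.51.100.5", True, "/search"),
       (1.0, "203.0.113.1", False, "/statements"),
       (1.0, "192.0.2.44", False, "/")]
)


def run_demo(global_capacity=40):
    """Decisions for TRACE under a given global work budget, plus a tally."""
    decisions = simulate(AppShield(global_capacity), TRACE)
    return decisions, Counter(decisions)


if __name__ == "__main__":
    decisions, summary = run_demo()
    for (t, ip, auth, path), d in zip(TRACE, decisions):
        print(f"t={t:4.1f} {ip:14} {'auth' if auth else 'anon'} {path:12} -> {d}")
    print(dict(summary))
```

With a global budget of 40 cost units per second, the first eight attackers are served before the cap bites, the ninth and tenth are shed, and so is the legitimate logged-in customer who arrives at the same instant; that is the "rejects good traffic too" property of resource limiting made visible. Raising the budget to 60 removes the shedding without changing what happens to the attackers, who are all challenged on their retry. In production the per-client buckets need eviction (a TTL or LRU bound), or the attack turns into memory exhaustion on the shield itself, and keying anonymous clients by source address alone is weak behind carrier-grade NAT.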
Manage public relations
Financial organizations in particular may have internal liability policies that prevent them from admitting that an attack is happening. This can become a complicated situation for the person responsible for public relations. Reporters, however, may not accept this kind of evasion, especially if the site appears to be completely down. The organization can do the following:
- For the press: if industry policy allows the organization to admit that it has been attacked from outside, do so and be frank about it. If policy dictates that the firm must deflect questions, argue carefully with a press that is mostly not IT-literate, but be sure to prepare for the next press release. Bear in mind, however, that disclosure obligations under the security and privacy laws in force in many territories, such as the European Union's GDPR (General Data Protection Regulation) and similar laws, may limit how far an organization can deflect.
- For internal staff, including anyone who could be contacted by the press: the firm's internal communications team should give guidance on what to say and what not to say to the media. Better yet, tell staff to direct all questions about the event to the person in charge of public relations, and include that person's contact number.